The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that a critical vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, is being targeted by unknown actors, and has added the flaw to its catalog of known vulnerabilities exploited in the wild.
Citrix ShareFile (also known as Citrix Content Collaboration) is a managed file transfer SaaS cloud storage solution that allows customers and employees to upload and download files securely. CISA's alert went out August 16th.
On June 13th, Citrix released a security advisory on a new ShareFile storage zones vulnerability tracked as CVE-2023-24489 with a critical severity score of 9.8/10, which could allow unauthenticated attackers to compromise customer-managed storage zones.
From the advisory: "A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller."
Cybersecurity vendor experts offered their commentary on the advisory.
Dave Randleman, Field CISO at Coalfire:
"When exploited, this vulnerability lets attackers bypass authentication systems, allowing the attacker to remotely compromise ShareFile's 'zone controller.'
These zone controllers extend the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage. ShareFile's private, customer-managed storage is often used to store encryption keys, which makes this vulnerability increasingly concerning, as attackers would be able to pivot into decryption of sensitive data.
Security teams need to rapidly assess if they're utilizing the ShareFile zone controller outside of ShareFile cloud environments. This vulnerability only affects customer-managed zone controllers. Teams utilizing ShareFile through Citrix's cloud platform are unaffected.
A new version of the zone controller is already available that fixes this potential exploit. Security teams should assess their ShareFile versions to make sure they're at least using a version newer than 5.11.24."
Travis Smith, Vice President, Threat Research Unit, at Qualys:
"This is an interesting vulnerability in highly prevalent software deployed globally in the private sector and in government agencies. Security teams should be concerned that this vulnerability could be exploited to deploy ransomware or exfiltrate data. This is very similar to the MOVEit vulnerability that resulted in multiple data breaches. The Qualys Threat Research Unit is closely monitoring the threat landscape to see if this is weaponized."
John Gallagher, Vice President, Viakoo Labs, at Viakoo:
"Organizations need to patch; however, the question is how long will threat actors have to exploit this vulnerability. Many organizations lack an inventory of their devices and applications, specifically around what versions they have. The ideal situation would be to have full visibility down to the firmware version number, combined with automated patching, and in the future, with SBOMs tied to each application."
CISA's alert concludes: "CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria."
UPDATE on August 18:
A Citrix representative contacted SecureWorld News to provide the following clarification on behalf of David Le Strat, SVP of Product and Technology for ShareFile:
"We take security very seriously and protecting our customers' data is a cornerstone of our products. Please see our Security Update for the most up-to-date information.
We have seen some inaccuracies in reporting of the news, and want to ensure that the most up-to-date and accurate information is shared with regard to this vulnerability, and ShareFile's approach to assuring the safety of customers' data. Please see below a timeline of ShareFile's response to this incident and accurate figures in regard to the impact on customers.
Timeline:
Impact of Incident: